Description

BACKGROUND OF THE INVENTION 

[0001] The present invention relates generally to securing cryptographic systems against external attacks and, more
specifically, to cryptographic processing devices and methods for the minimization and masking of useful information 
available by external monitoring of cryptographic operations. 

[0002] As described in US Patent 4,908,038 to Matsumura et al., cryptographic devices can be attacked using infor- 
mation gathered by observing the timing of comparison operations performed by such devices during their operation. 
For example, if a MAC (Message Authentication Code) algorithm is strong and the key is secure, forging a MAC should
require O(2^n) attempts (where n is the MAC length in bits), but a device using a vulnerable MAC validation process is
vulnerable to an O(n) timing attack.

[0003] If timing is the only source of leaked information, securing the device is often relatively straightforward. For 
example, European Patent Specification EP-A-0 660 562 to Sprunk discloses techniques for making clock edges unpredictable
to help deter attacks that involve synchronizing attacker actions with the target device. Specifically, this may
be useful against glitching attacks, many of which require that the attacker know the precise moment to send a power 
or clock spike to the target. 

[0004] Still other previously known countermeasures to attacks involving information leaking from cryptosystems 
employ large and often expensive physical shielding and/or careful filtering of inputs and outputs (e.g., US government
Tempest descriptions).

[0005] Unfortunately, these techniques are difficult to apply in constrained engineering environments. For example, 
physical constraints (such as size and weight), cost, and the need to conserve power can often prevent the use of such 
techniques. It is also known to use certain computational techniques to equalize timing (e.g., see Matsumura, above, 
or P. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems", Advances in
Cryptology - CRYPTO '96, Springer-Verlag, 1996, pages 104-113).

[0006] However, sources of information leakage other than timing (e.g., a device's power consumption) provide other 
avenues of attack. For example, Sprunk fails to address the more difficult problem of security weaknesses resulting from 
correlations between externally-measurable characteristics of a device and secret keys. EP-A-0 809 905 to Reiner is 
allegedly directed to concealing when computational operations conclude. Reiner states that power consumption of a 
device's output register should not change, but provides no disclosure of how to enable this capability. Finally, Matsumura's
timing equalisation system itself can be vulnerable to non-timing attacks, for example, by analysing power consumption
to detect the start of processing delays. It would therefore be advantageous to protect the devices' internal
operations themselves instead of (or in addition to) simply externally masking the devices' timing (or other) fluctuations.
[0007] The present invention includes countermeasures that can be incorporated into software and/or hardware, to 
provide improved protection at relatively low cost. Thus, the invention could be used in place of (or in addition to) traditional
countermeasures. For example, the present invention can be implemented in Smartcards and other highly constrained 
environments where physical shielding and other protection measures cannot be readily applied. 

SUMMARY OF THE INVENTION 

[0008] The invention in its various aspects is defined in the independent claims below, to which reference may now 
be made. Advantageous features are set forth in the dependent claims. 

[0009] According to one embodiment, the present invention provides techniques for modifying the computational 
processes in implementations of cryptographic algorithms to incorporate new random information, beyond the input
parameters that are traditionally used, while still producing desired results. Definitions and standards for cryptographic
algorithms require that implementations of such algorithms produce specific outputs from given inputs. For example, 
implementations of the Data Encryption Standard (DES) defined in National Bureau of Standards Federal Information 
Processing Standard Publication 46 (Jan. 1977) should encrypt the message 0011223344556677 with the key 
0123456789ABCDEF (with standard odd DES key parity bits) to produce the ciphertext CADB6782EE2B4823. However,
implementers of this and other algorithms can choose the particular processing steps used to transform the inputs into
the outputs. Thus, by modifying the computational processes to incorporate new random information, secret information 
that might be sought by an attacker (such as the key or other secrets) can be concealed within or among random (or 
otherwise unpredictable) information incorporated into the cryptographic operations. Information leaked during the sys- 
tem's operation will then be correlated to the unpredictable state information (or noise), making leaked information less
useful to attackers. Said another way, leaked information can be made effectively uncorrelated (or less correlated) to
the device's secrets. Some particular embodiments of this general approach will be described below. One embodiment 
of the invention also provides for the added unpredictable information to be updated frequently to prevent attackers from 
using monitoring attacks to determine the state information itself. 
[0010] An attacker's measurements of an operating device are often imperfect, and contain both information that is
useful ("signal") and information that hinders or is irrelevant to interpretation of the signal ("noise"). (In addition, there 
may be irrelevant components of the measurements, such as predictable information, that neither helps nor hinders 
attacks.) To increase the difficulty of attack, one embodiment of the present invention increases the amount of noise in
attackers' measurements and/or increases the signal complexity.

[0011] Still other embodiments of the general technique include software- and hardware-implementable clock skipping
(to prevent the temporal correlation of specific operations with clock transitions provided by or observable by attackers), 
symmetric permutation blinding, and the introduction of entropy into the order of cryptographic operations. Such tech- 
niques are usable to prevent attackers from correlating observations with specific events within the cryptosystem's
operation.

[0012] All of the foregoing will be explained in greater detail with respect to the figures and detailed description of the 
invention, below. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0013] 

FIG. 1 illustrates an exemplary apparatus for introducing noise into a cryptosystem. 
FIG. 2 illustrates an exemplary apparatus for implementing clock skipping.

DETAILED DESCRIPTION OF THE INVENTION 

[0014] The following sections describe various embodiments of a general technique of using unpredictable information
to protect cryptographic systems (cryptosystems) against external monitoring attacks. Although the embodiments differ
in the details of their implementations, those skilled in the art will appreciate the fundamental commonality in their 
essential operation - using randomness or other sources of unpredictability to decorrelate secret information from ex- 
ternally monitorable signals in such a way that deters external monitoring attacks (including those involving statistical 
accumulation and analysis of collected data) upon cryptographic systems. 

Reduction of Signal-to-Noise Ratios 

[0015] Unless noted otherwise, it shall be assumed herein that leakage (or the reducing, masking, or minimizing 
thereof) refers to the leakage (or the reducing, masking, or minimizing thereof) of any information that is potentially useful 
to an attacker trying to determine secret information. Thus, the leaked information includes the secret information itself,
but also other information pertaining to that secret information. Of course, the attacked device may also leak information, 
such as information correlated to its internal processing operations, that is not useful to attackers. However, such leakage 
of non-useful information is not relevant to this description of the present invention. 

[0016] To obtain a secret key from a cryptosystem that leaks information, an attacker can gather data by observing
a series of operations, perform statistical analysis on the observations, and use the results to determine the key. In a
common situation, an attacker monitors a physical property, such as power consumption, of a secure token as it performs 
a cryptographic operation. The attacker collects a small amount of data related to the key each time the token is observed 
performing a cryptographic operation involving the key. The attacker increases the amount of information known about 
the key by collecting and statistically correlating (or combining) data from multiple observations of the token as it performs
operations involving the key (or a related key).

[0017] In the case of a cryptosystem which is leaking information, such observations may contain signal (i.e., information
correlated usefully to the key). However, such observations also contain noise (i.e., information and error that hinder or 
are irrelevant to determination of the key). The quality of the information gained from these observations is characterized 
by a "signal to noise" (or S/N) ratio, which is a measure of the magnitude of the signal compared to the amount of noise. 

[0018] The number of operations that the attacker must analyze to recover the key depends on the measurement and
analysis techniques, but is generally inversely proportional to the square of the S/N ratio. The constant of proportionality 
also depends upon the amount of confidence the attacker requires. For example, a relatively low confidence level may 
be acceptable to an attacker willing to do an optimized brute force search using statistical information about key bit 
values. Decreasing the signal by a factor of 15 and increasing the amount of measurement noise by a factor of 20 will
reduce the signal-to-noise ratio by a factor of 300. This will generally mean that an attacker will require roughly 90,000
times as many observations to extract the same amount of information about the key. An attack requiring 1,000 obser-
vations to recover a key before the S/N reduction would now require on the order of 90 million observations to gain the 
same level of confidence in the recovered key. 
[0019] Thus, one approach according to the general technique of using unpredictable information to protect crypto-
systems against external monitoring attacks is to implement cryptographic protocols so as to produce unpredictable 
state information, thereby increasing the number of observations required by an attacker to compromise a key. By 
reducing the available signal size and/or increasing the amount of error, noise, and uncertainty in attackers' measurements,
a system designer can make the so-called work function (effort required) to break a system larger.

[0020] The system can be made even more secure by making the number of samples required to gain any significant 
amount of useful key information exceed the maximum number of transactions that can be performed using the key, 
exceed the number of transactions that can be performed by the device (e.g., before the key expires), or else be so 
large that monitoring attacks are comparable to (or of greater difficulty than) brute force and other known attacks. For
example, consider a system programmed to self-destruct after one million operations, well beyond the expected operational
life of most smartcards. If a design not using the present invention requires five operations to break, and the present 
invention reduces the signal-to-noise ratio by a factor of 1000, the number of operations required to break the system 
(i.e., isolate the signal or key from the noise) might increase by a factor of roughly one million (i.e., to approximately 5 
million), exceeding the lifetime of the secret or the device. Thus, attackers will be unable to collect enough measurements
to compromise the secret.

Random Noise Generation 

[0021] An exemplary apparatus for introducing noise into a cryptosystem is illustrated in FIG. 1. In FIG. 1, noise 
production system 100 includes randomness source 101, noise processing module 102 (such as, without limitation, a
linear feedback shift register or a hash function-based compression function), activation controller 103, digital/analog 
converter 104, and noise production module (105). Other noise production systems including none, any, or all of the 
components of FIG. 1 can also be used within the scope of the present invention. 

[0022] Randomness source 101 creates the initial noise used to generate unpredictable information. Randomness 
source 101 can be implemented in hardware or software. It is preferable that the random number generator be imple-
mented in hardware because hardware implementations typically maintain less state information that can be subject to 
attack. If random numbers are generated via software, care should be taken to ensure that attackers cannot compromise 
the random number generator state and predict future random number generator outputs. For example, to help make 
a software random number generator resist external monitoring attacks, an implementation may incorporate extra state 
information and update its state frequently. Of course, as will be appreciated by those skilled in the art, truly random
numbers are not always necessary or available. Therefore, as used herein, any term described as "random" will be 
understood to include truly random, and also pseudorandom or otherwise unpredictable, information suitable to, and 
depending on, the nature of the particular application at hand. 

[0023] Where randomness source 101 is an analog source, its output is first converted to digital form, for example 
using digital/analog converter 104. The digital output produced by randomness source 101 or digital/analog converter
104 is then provided as an input to noise processing module 102. Noise processing module 102 converts the initial noise
(which may be biased or have other nonrandom characteristics) into either statistically random noise or noise with desired 
characteristics (for example, random but with a nonlinear statistical distribution). 

[0024] Many cryptosystems spend a relatively small fraction of total processing time performing security-critical operations.
Therefore, the activation controller 103 can be configured so that the noise production process is activated
during operations in which security is important (such as, without limitation, encryption, decryption, digital signing, data 
comparison, MAC verification, code verification, audit log updating, EEPROM update, and key changing), but is deac- 
tivated during non-security critical operations. A noise production activation control can thus greatly reduce many of the 
potential disadvantages of such a noise system (such as increased power consumption, reduced performance, increased
electromagnetic radiation, decreased reliability, increased heat production, etc.). Activation controller 103 can be imple-
mented in any of a variety of ways, including without limitation in a microprocessor cryptographic accelerator, or other 
well-known controller device that disables power to one or more elements of noise production system 100, forces the 
output of randomness source 101 (or mixer) to a particular value, forces the input or output of digital/analog converter 
104 to a particular value, or disables noise production module 105. 

[0025] When activation controller 103 enables noise production system 100, random output from noise processing
module 102 is provided to digital/analog (D/A) converter 104. The D/A output is provided to noise production module 
105, which is configured to sink power, produce electromagnetic radiation, or otherwise introduce noise into attackers' 
measurements, where the noise produced is a function of the D/A input. The noise production module thus introduces 
noise into attackers' measurements, increasing the difficulty of external monitoring attacks. Digital/analog conversion
methods are known in the background art, and need not be described in detail here. For example, an array of current
sources (e.g., transistors) and/or current sinks (e.g., resistors), as well as many other well known techniques can be used. 
[0026] In an embodiment where randomness source 101 is an analog noise source, noise production module 105 can 
operate using the output of randomness source 101 as a direct input. Activation controller 103 can then operate by
regulating the output of randomness source 101 or enabling and disabling noise production module 105.
[0027] To prevent noise from being observably correlated to clock transitions or other externally-measurable events, 
multiple noise production modules may be deployed and driven simultaneously from the same or different random 
sources. Alternatively, the noise processing module can be used to combine outputs from multiple noise sources and/or
provide inputs to multiple noise production modules. Also, because microprocessor current usage profiles (and other
externally measurable characteristics such as E/M radiation) are instruction-dependent and carry significant detail within 
each clock period, it may be advantageous to drive noise production modules faster than (or independently from) the 
clock rate applied to the cryptosystem microprocessor. For example, noise production modules may include delay lines that
temporally isolate their outputs from those of the others, or they may be clocked independently, or they may be
free-running.

[0028] All of the foregoing components may be implemented separately or in various combinations, using analog or 
digital techniques as appropriate. Those skilled in the art will also appreciate that various of the components can be 
implemented in hardware, or even software, although hardware implementations will generally provide greater security. 
For example, the noise source can be integrated within the cryptosystem microprocessor itself. In single-chip
environments (such as smartcards and secure microprocessors), the noise source and noise control circuitry can be integrated
into the same chip that contains the microprocessor, secure memory, I/O interface, etc. 

[0029] The signal-to-noise reduction techniques described herein may be implemented for use in various environments, 
including without limitation key management and storage systems, cryptographic accelerators (e.g., hardware DES 
implementations, multipliers, fast modular exponentiators, hash functions, etc.), nonvolatile memory (e.g., EEPROM, 
flash, etc.), data communication interfaces, buses, and (as will be evident to one of ordinary skill in the art) other
computational devices and methods used in cryptographic operations. 

Clock Skipping 

[0030] Another approach to the general technique of using unpredictable information to protect cryptosystems against
external monitoring attacks involves what will be referred to herein as clock skipping (or clock decorrelation). 
[0031] During statistical attacks using power consumption or electromagnetic radiation, attackers typically compare 
measurements from several different operations against each other. For example, an attacker might make a sequence 
of observations by sampling the target device's power consumption at 200 MHz during a 5 ms portion of each of 1,000
cryptographic operations done by the target device. For this exemplary attack, 1,000 observations each containing
1,000,000 data points are thus collected. The attacker would then align these measurements so that the data points
corresponding to a single point of interest can be compared and analyzed across a large number of observations. 
[0032] Therefore, security can be improved by preventing attackers from locating points of interest within collected 
data sets and from identifying corresponding regions between observations. Indeed, causing an attacker to include
incorrectly-aligned data is one way to decrease the effective signal-to-noise ratio of the attacker's data (see previous
section), since the noise increases significantly (due to the inclusion of uncorrelated samples) and the useful signal 
decreases (due to the presence of fewer good samples). 

[0033] Without accurate temporal alignment, the temporal resolution of the attacker's observations decreases greatly, 
making it much more difficult for the attacker to identify a signal containing fine structure. For example, a "1" bit in a
secret or private cryptographic key might statistically result in a power feature consisting of a 1 μA increase above average
for 2 μs followed immediately by a decrease to 2 μA below average for 1 μs, while a "0" key bit might result in a power
feature consisting of a 1 μA decrease below average for 2 μs followed by a 2 μA increase above average for 1 μs.
Differentiating such signals is easy with sub-microsecond resolution, but can be extremely difficult or impossible with 
only millisecond resolution unless an extraordinarily large number of samples is taken. Of course, small temporal
alignment variations may not be able to conceal signal characteristics that are of large amplitude or of long duration (e.g.,
comparable to or larger than the size of the alignment variations). In general, then, poor temporal alignment will reduce 
an attacker's ability to identify fine variations within operations and significantly increase the number of measurements 
required for a successful attack. 

[0034] Many conventional systems, including commonly available smartcards, simply use external clocks for their 
cryptographic operations -- even though attackers can freely observe and manipulate the external clock. This greatly
facilitates the ability of attackers to make the measurements necessary to attack the system. One embodiment of the 
present invention uses clock skipping (or clock decorrelation) to inhibit such attacks by reducing attackers' ability to 
predict the system state. Clock skipping involves decorrelating cryptographic operations from the normal (external) clock
cycles by creating a separate, internal clock signal that is used to control processor timing during cryptographic operations.
While externally-measurable characteristics (particularly power consumption and electromagnetic radiation) can reveal
when some internal clock cycles occur, clock skipping will make them much more difficult for an attacker to accurately 
locate points of interest in measurements, particularly if noise is introduced into the signal using the techniques of the 
present invention. This will be described in more detail below with respect to an example of the invention, illustrated in 
FIG. 2.

[0035] Referring now to FIG. 2, random number generator 200 (which can be, but need not be, implemented in
hardware) is used to determine which clock cycles (or clock state transitions) are to be used by microprocessor core 
225. Random number generator 200 produces a stream of random (or pseudorandom) digital output bits or analog noise 
as random output 205. Clock skipping module 240 then combines (as will be described below) random output 205 with 
clock signal 220 received from external smartcard interface 210. Of course, clock signal 220 can also originate from 
another source (for example, if the invention is implemented in environments other than smartcards). In embodiments 
where random number generator 200 itself uses an external clock signal (e.g., where a random bit is output on each 
clock state transition), random number generator 200 can, but need not, use clock signal 220. 
[0036] Within clock skipping module 240, random output 205 is used to select cycles of clock signal 220 to skip in 
order to produce clock signal 260. Alternatively, random output 205 can be used to select the closest corresponding 
cycles of clock signal 220 to be used as clock signal 260, or random output 205 can even be used as clock signal 260 
itself. Still other approaches are possible, as will be appreciated by those skilled in the art; the basic point being that 
clock signal 260 be (partially or wholly) decorrelated from external clock signal 220 via random output 205. 
[0037] If desired, clock skipping module 240 can optionally apply a filter to clock signal 260 to ensure desired char- 
acteristics. For example, to ensure a minimum clock rate (as opposed to a statistical average), a transition of clock signal 
260 may be forced after more than a threshold number of cycles of clock signal 260 have been skipped, either recently 
or consecutively (e.g., a transition of clock signal 260 can be forced if clock signal 260 has not changed during more 
than three transitions of clock signal 220.) 

[0038] Additionally, clock skipping module 240 can optionally monitor the clock rate (of either clock signal 220 or 260) 
to prevent attackers from stopping the clock and analyzing the device in a halted state or from operating the device too 
quickly. When module 240 detects such a clock fault, it can reset microprocessor core 225, clear memory 290 (which 
can be nonvolatile RAM, such as battery-backed CMOS, EEPROM, flash memory, a hard disk, or other such storage 
used to store the key and/or other information), clear the state of cryptographic accelerator 280, and log the fault in
memory 290. Methods and apparatuses for detecting such clock faults are well known in the background art and need 
not be described in detail here. 

[0039] In another example, clock skipping module 240 and microprocessor 225 are combined, such that random 
output 205 can force microprocessor 225 to skip clock cycles. For example, when microprocessor 225 is directed to 
skip a clock cycle (such as when three output bits equal to zero are received in random output 205), the result of the 
current or next instruction (or clock cycle) executed by the microprocessor is discarded and repeated. 
[0040] In all of the foregoing, it should be noted that the fraction of skipped clock cycles does not need to be very 
large; for example and without limitation, even skipping as few as one clock cycle in 20 (on average) will introduce 
significant measurement drift. 

[0041] One consideration introduced by clock skipping is the effect on other functions of the system besides the 
cryptographic operations. In particular, clock skipping may sometimes adversely affect operations requiring regular clock 
cycles. For example, in many smartcards, one bit is sent or received on a serial I/O (input/output) line every 372 cycles 
of the external clock. (Thus, a 3.579545 MHz external clock is compatible with a serial communication rate of 9600 bits 
per second.) However, with clock decorrelation, microprocessor 225 will operate at a different clock rate governed by 
signal 260. A mismatch between the data communications clock rate and the microprocessor clock rate may result, 
causing I/O errors to occur. Consequently, in devices implementing clock skipping, it is often advantageous for the 
microprocessor to be controlled by external clock 220 during I/O operations. 

[0042] This can be implemented via clock skipping activation signal 230, which is used to select between external 
clock signal 220 and the (modified) internal clock that would otherwise be produced by clock skipping module 140. As 
with the noise generator activation signal of FIG. 1, clock skipping activation signal 220 can be produced by a micro- 
processor or any other control device that is capable of knowing when to apply (or not apply) the clock skipping. Selection 
of whether or not to clock skip at any particular time can be performed by many well-known techniques that need not 
be described in detail here. For example, in the exemplary embodiment of FIG. 2, microprocessor 225 is well suited for 
such a task because it is necessarily aware of I/O operations associated with the receipt of data signals 270. In general, 
when I/O is performed or when other non-security-critical operations are in progress, microprocessor core 225 can assert 
control signal 230 to cause clock skipping module 240 to ignore random output 205 and provide external clock signal 
220 directly as clock signal 260. Control signal 230 and the noise production activation control signal described previously 
can, but need not be the same signal. 
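The selection, filtering and bypass behaviour of clock skipping module 240 described in [0036]-[0042] (and the skip rule of [0039]) can be modelled in software to see how a point of interest drifts between observations. The following is an added example, not code from the patent; it assumes one random bit group per external cycle, a skip when the group is all zero, a cap of three consecutively skipped cycles, and a per-cycle bypass flag standing in for control signal 230. The LFSR is only a reproducible stand-in for random output 205.

```python
"""Software model of clock skipping module 240 of FIG. 2 ([0035]-[0042]).

Each cycle of external clock signal 220 consumes a group of bits from random
output 205.  As in [0039], a cycle is skipped when all bits in its group are
zero, so with bits_per_cycle = 3 about one cycle in eight is dropped from
internal clock signal 260.  The filter of [0037] caps the number of
consecutively skipped cycles so a minimum clock rate is guaranteed, and
control signal 230 ([0042]) forces cycles through unchanged (e.g. during I/O).
Function and variable names are this example's own, not the patent's.
"""
from typing import List, Optional, Sequence, Tuple


def lfsr_bits(seed: int, n: int) -> List[int]:
    """16-bit Fibonacci LFSR (taps 16,14,13,11) standing in for random output 205.

    An LFSR is the noise-processing example named in [0021]; it is used here only
    so the simulation is reproducible. A real device would feed it from a hardware
    randomness source rather than a fixed seed.
    """
    state = seed & 0xFFFF or 1  # the all-zero state would lock the LFSR
    out: List[int] = []
    for _ in range(n):
        fb = ((state >> 0) ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (fb << 15)
        out.append(state & 1)
    return out


def clock_skip(rand_bits: Sequence[int], bits_per_cycle: int = 1,
               max_consecutive_skips: int = 3,
               bypass: Optional[Sequence[bool]] = None) -> List[int]:
    """Return the indices of external clock cycles that reach the core as clock 260.

    rand_bits: stream from random output 205; cycle i consumes the bits
               rand_bits[i*bits_per_cycle:(i+1)*bits_per_cycle].
    bypass:    per-cycle value of control signal 230; True passes the cycle
               through regardless of the random bits.
    """
    n_cycles = len(rand_bits) // bits_per_cycle
    used: List[int] = []
    consecutive_skips = 0
    for i in range(n_cycles):
        group = rand_bits[i * bits_per_cycle:(i + 1) * bits_per_cycle]
        wants_skip = not any(group)            # [0039]: all-zero group => skip
        forced = bypass is not None and bypass[i]
        if wants_skip and not forced and consecutive_skips < max_consecutive_skips:
            consecutive_skips += 1             # cycle dropped from clock 260
            continue
        consecutive_skips = 0                  # [0037]: transition (possibly forced)
        used.append(i)
    return used


def point_of_interest(rand_bits: Sequence[int], internal_cycle: int, **kw) -> int:
    """External cycle index at which the internal_cycle-th edge of clock 260 occurs.

    This is where an observer aligning traces by the external clock would look
    for an operation that the core actually performs on that internal edge.
    """
    return clock_skip(rand_bits, **kw)[internal_cycle]


def alignment_spread(streams: Sequence[Sequence[int]], internal_cycle: int,
                     **kw) -> Tuple[int, int]:
    """Earliest and latest external position of one internal edge across runs.

    A non-zero spread means the point of interest drifts between observations,
    which is the misalignment effect described in [0032]-[0033].
    """
    positions = [point_of_interest(s, internal_cycle, **kw) for s in streams]
    return min(positions), max(positions)


def max_gap(used: Sequence[int]) -> int:
    """Largest distance between consecutive internal edges, in external cycles."""
    return max(b - a for a, b in zip(used, used[1:]))


if __name__ == "__main__":
    # Constructed runs of 1 bit per cycle; a 0 selects that cycle for skipping.
    runs = [[1] * 6, [0, 1, 1, 1, 1, 1], [1, 0, 1, 0, 1, 1, 1]]
    print("5th internal edge seen at external cycles", alignment_spread(runs, 4))
    # Longer LFSR-driven run with three bits per cycle (skip rate about 1 in 8).
    used = clock_skip(lfsr_bits(0xACE1, 600), bits_per_cycle=3)
    print(len(used), "of 200 cycles reached the core; longest stall:", max_gap(used))
```

The filter guarantees that no more than `max_consecutive_skips + 1` external cycles ever pass without an internal edge, which is the minimum-clock-rate property [0037] asks for.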

[0043] In an alternative solution to the synchronization failure problem, two separate clocks are used. A conventional 
external clock signal is used for I/O and other processing, where clock skipping is not needed to protect secret information. 
However, an internal clock signal, preferably but not necessarily generated in the device (for example, produced using 
a ring oscillator, which is well known in the background art), is used for internal (e.g., cryptographic) processing. Thus, 
internal operations need not proceed at a speed related to or derived from the external clock rate. The internal clock 
may be distorted or skipped, for example, as described above. Alternatively, or in addition, where an analog process is 
used to generate the internal clock, significant sources of randomness can also be incorporated to adjust the frequency,
drift, and jitter of the clock signal to prevent accurate prediction of clock state transitions. Clock signal selection can be 
performed by microprocessor 225 as mentioned previously. Another technique, which is especially suitable for, but not 
limited to smartcards, uses a UART (universal asynchronous receiver/transmitter) or other buffer between the internally
clocked region and the external I/O interface to ensure that communications over the external serial I/O interface are
clocked at a rate corresponding to the externally-supplied clock but may be accessed reliably by internally-clocked circuits. 
[0044] In yet another approach, the internally-generated clock signal can be derived from the external clock signal. 
This can be performed via an analog phase-locked loop, which is well known in the background art and need not be 
described in detail here. Such an internal clock will be rather closely correlated with the external clock, and therefore
not as effective against attacks as the randomized clock signal or two separate clocks described previously. (Of course,
its effectiveness can be improved by optionally using clock skipping or analog (or other) noise sources to adjust the 
frequency, drift, and jitter of its signal.) Also, when synthesizing the internal clock from the external clock, the clock- 
derivation circuitry can be configured to restrict the rate of the internal clock frequency, for example, to enforce a minimum 
internal clock frequency so that attackers cannot stop the clock and attack the device in the stopped state. The derived
internal clock signal exhibits a number of useful properties that will be described in the following paragraph.

[0045] One useful property of such a slightly decorrelated internal clock is that it may be sufficiently close to the external
clock that it may be used to control I/O rates reliably. In addition, because a phase-locked loop can continue to produce
a valid clock signal even if the external clock changes or is removed, microprocessor 225 can continue operating so
that it can detect and even respond to attacks that involve halting, removing, or altering the external clock while power
is connected. The use of an internally-generated clock additionally provides protection against attacks involving the
introduction of errors into computations. For example, jitter or high frequencies supplied to the external clock would
cause harmless communication errors, but would be prevented from causing erroneous computations. Because a phase-
locked loop can produce an internal clock signal that is a multiple of the external clock signal, it is possible to clock
cryptographic operations at a rate faster than the external clock, providing improved performance. In smartcards with
challenging performance requirements (such as those that run interpreted code such as Java), this is an added benefit.
[0046] All of the foregoing paragraphs describe various ways to generate a second, internal clock signal: via rand-
omization, via a separate clock, or via derivation from the external clock. In all of these cases, the internal clock can also
be used to monitor the external clock to detect abnormalities introduced by attackers. Regardless of whether the clock
is produced internally or derived from the external clock, the microprocessor can have the option of selecting between
multiple clock modes. For example, a slower mode might be used if it has a lower probability of computation error, a
faster mode might be used when improved performance is needed, and clock skipping or other clock distortion might
be activated when resistance to external monitoring attacks is desired.

[0047] Much of the foregoing has been described with respect to hardware techniques for clock decorrelation (e.g.,
second clocks or phase-locked loops), but clock decorrelation can also be effected by software, as will be described
below. This is useful, for example, where the environment does not allow for hardware-based clock skipping. Alternatively,
hardware clock decorrelation could be supplemented with software-based clock decorrelation for even greater protection
in security-critical code segments.

[0048] One efficient software-implementable technique for clock decorrelation takes advantage of the fact that the
amount of time used for a process with a conditional jump can vary depending on whether or not the jump is actually
performed. In such cases, inserting branch delays can be used as a form of clock decorrelation. For example, the
assembly language clock randomizer below uses a random generator to introduce clock variations that can help prevent
accurate alignment by an attacker:

Assembly Language Clock Randomizer:

    [...]
        inp   reg5, RANDOM_GENERATOR    # get a random byte
        add   reg5, reg5                # shift reg5 left once
        brc   delay1                    # branch if carry
        nop                             # extra delay if bit is 0
    delay1:                             # continue execution
    [... more code ...]
        add   reg5, reg5                # shift reg5 left again
        brc   delay2                    # branch if carry
        # put any code here             # obfuscating code/delay
    delay2:                             # continue execution
    [... more code ...]
[0049] In an alternative embodiment, instead of using random information to determine whether to take a delay branch,
the random information may be used to select between parallel code processes, such that the same cryptographic result
will be produced regardless of which code process is selected but where the parallel processes perform different oper-
ations toward producing the result.

[0050] This section has described temporal obfuscation techniques that are useful in preventing reliable identification
and alignment of specific features in measurements of cryptographic device characteristics such as power consumption
and electromagnetic radiation. However, such techniques may not always be sufficient for preventing attacks based on
timing, since introduced timing delays will have a predictable statistical distribution for which attackers can compensate.
Another embodiment of the general technique of implementing cryptographic protocols using unpredictable information,
described below, is useful in (but is not limited to) such contexts.

Execution Path and Operation Order Entropy 

[0051] Another approach to the general technique of using unpredictable information to protect cryptosystems against
external monitoring attacks involves the introduction of entropy into the order of processing operations or into the execution
path while maintaining desired functionality (such as compatibility with standard cryptographic algorithm definitions).
More specifically, a device can use a random number generator to cause unpredictability in the order of performing a
sequence of suboperations. If attackers cannot accurately determine the order in which operations were performed,
cross-correlation between samples becomes more difficult or impossible. Consequently the data collected by an attacker
effectively has a significantly lower signal-to-noise ratio.

[0052] As an illustrative example of operation order entropy, consider a bit permutation. Permutations are widely used 
in cryptography, for example in the Data Encryption Standard and other cryptographic algorithms. The following C 
language pseudocode illustrates a traditional method of implementing a permutation. 

Input-Ordered Permutation (Background Art):

    #include <stdbool.h>

    void perm2(bool dataIn[64], bool dataOut[64], int table1[64]) {
        int i;
        for (i = 0; i < 64; i++) {
            dataOut[table1[i]] = dataIn[i];   /* iteration i handles input bit i */
        }
    }

[0053] This example is input-ordered, meaning that processing steps are performed in the order (or inverse order) in
which the input bits are supplied. In the example, input bit 0 is permuted first, and input bit 63 is permuted last. Output-
ordered permutations are also commonly used in the background art. Provided that table1 is a permutation (i.e., where
one element equals each of the values 0...63), the pseudocode below can be made output-ordered by changing the
statement inside the loop to read "dataOut[i] = dataIn[table2[i]];" where table2 is output-ordered (i.e., table2 is the
inverse of table1 above such that table1[table2[i]] = i).

[0054] However, both output-ordered and input-ordered permutations can leak information about the data they process.
For example, in the input-ordered permutation, attackers' measurements of loop iteration i will be correlated to dataIn
[i]; in the output-ordered permutation, the attackers' measurements of loop iteration i will be correlated to dataOut[i].
An improved permutation method would thus be advantageous. One exemplary implementation of such a method is
shown in the table below. This high-entropy permutation combines several previously-described aspects of the present
invention, including without limitation order randomization (thus being neither input-ordered nor output-ordered) and
blinding techniques (to conceal further the data being permuted).

Blinded High-Entropy Permutation:

    #include <stdbool.h>

    #define SWAP(a, b)  { register int t = a; a = b; b = t; }
    #define LOOPCOUNT   128

    void perm3(bool dataIn[64], bool dataOut[64], int table[64]) {
        unsigned char trueRandom(void);   /* gives random byte */
        int i, p;
        int perm[64];
        bool b, temp[64];

        /* Initialize random permutation */
        for (i = 0; i < 64; i++) {
            perm[i] = i;
            temp[i] = trueRandom() & 1;       /* whiten scratch buffer */
            dataOut[i] = trueRandom() & 1;    /* whiten output buffer */
        }
        for (i = 0; i < LOOPCOUNT; i++) {
            p = trueRandom() & 63;            /* random number mod 64 */
            SWAP(perm[p], perm[i & 63]);
        }

        /* Blind: temp=blinded input, dataOut=unblinding factor */
        for (i = 0; i < 64; i++) {
            p = perm[i];
            b = (bool)(trueRandom() & 1);
            temp[p] = dataIn[p] ^ b;
            dataOut[table[p]] = b;
        }
        for (i = 0; i < LOOPCOUNT; i++) {
            p = trueRandom() & 63;            /* random number mod 64 */
            SWAP(perm[p], perm[i & 63]);
        }

        /* Perform the permutation on temp & unblind */
        for (i = 0; i < 64; i++) {
            p = perm[i];
            dataOut[table[p]] ^= temp[p];
            temp[p] = 0;
        }
    }

[0055] The magnitude of signals leaked due to variations in data values (e.g., registers and memory contents) is 
usually smaller (often by a factor of several orders of magnitude) than signals leaked due to branches and variations in 
the execution path. Therefore, the high-entropy permutation operation, above, uses a constant execution path to inhibit 
leakage via variations in the execution path. 

[0056] The exemplary blinded randomized-order permutation operation includes four steps, which can be performed
separately or simultaneously: initialization, blinding, permutation, and unblinding. Implementations using partial blinding,
which operate on already-blinded values, or those with reduced security requirements will not require all steps.
[0057] Initialization of the blinded randomized-order permutation operation involves constructing and randomizing a
permutation table ("perm") for determining the bit order for operations. (Bit order permutation table "perm" randomizes
the time at which any particular data bit is manipulated.) The bit order table is created in two passes, where the first
assures that the table has the correct form (i.e., contains the numbers zero through 63), and the second introduces
random order into the table. Because the process of constructing the bit order table does not involve any secret inputs,
the only security requirement for the process is that the final result be unknown to attackers. As illustrated, the first
permutation table initialization loop can also place random values into dataOut and temp to help whiten any leaked
signals when data values are first stored in these arrays. Finally, although it is not required, more than 64 iterations of
the randomization loop are used to ensure that any statistical biases remaining after the randomization loop are insig-
nificantly small.

[0058] The next section of the code performs the blinding operation. First, for each loop iteration, a random number
generator produces a random blinding bit. The temporary buffer (temp) is initialized with the XOR of the random bit and
an input data bit, where the input data bit is selected according to the table (perm) constructed previously. Additionally,
the output buffer (dataOut) is initialized with the blinding bit, where the dataOut bit is the result of using the input
permutation table to operate on the index to temp. The second part of the blinding process re-randomizes the bit order
permutation table (perm).

[0059] The last section performs the final bit permutation and unblinding steps. Input bits are loaded in the order 
specified by the table (perm), permuted according to the (non-secret) externally-specified permutation table (table), and 
XORed onto the destination table (dataOut). 

[0060] Note that the leak-minimized permutation operation described dramatically reduces the amount of information
leaked from a permutation operation, but is not necessarily expected to reduce such leakage to zero. The input data to
the function arrives in fixed order and unblinded form, and the output is similarly supplied unblinded in fixed order.
Consequently, two or more measurements from the same transaction might (for example) be correlated to each other
such that the strength or sign of the correlation is a function of one or more input or output data bits. If inputs and/or
outputs must be kept secret or if multiple permutations are to be performed on the same secret data (for example, through
a multi-step operation such as encryption), operands can be maintained in a blinded state during processing, to be
(partially or completely) reconstituted only when nonlinear operations must be performed or at the end of the computation.
[0061] Note that many variations on the process described are possible, as will be understood by those skilled in the
art. For example and without limitation, the number of bits manipulated does not need to equal 64, the order of steps
may be changed, steps can be removed for simplified implementations (such as those that are not subject to some
attacks), steps can be modified, different permutation generation and update processes can be used, and additional
steps can be added.
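The permutation routines of [0052] through [0059], as an added, runnable C example (written for this edit, not the patent's own code): it implements the input-ordered perm2, its output-ordered form using the inverse table table2 from [0053], and the blinded randomized-order perm3, and then checks across random permutation tables and inputs that all three produce identical output, which is the functional requirement the text states. The trueRandom() source is assumed to be the device's hardware random byte generator; here it is a deterministic xorshift stand-in so the example runs offline and reproducibly. The Fisher-Yates table builder random_table() and the checker check_permutations_agree() are additions for the check and do not appear in the patent.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBITS     64
#define LOOPCOUNT 128
#define SWAP(a, b) do { int t_ = (a); (a) = (b); (b) = t_; } while (0)

/* Stand-in for the device's hardware random byte source (assumption: a
 * deterministic xorshift generator so that the example is reproducible). */
static uint32_t rng_state = 0x2545F491u;
static unsigned char trueRandom(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    rng_state = x;
    return (unsigned char)x;
}

/* Input-ordered permutation (background art): iteration i touches dataIn[i]. */
void perm2(const bool dataIn[NBITS], bool dataOut[NBITS], const int table1[NBITS]) {
    for (int i = 0; i < NBITS; i++) dataOut[table1[i]] = dataIn[i];
}

/* Output-ordered form: iteration i touches dataOut[i]; table2 is the inverse of table1. */
void perm2_output_ordered(const bool dataIn[NBITS], bool dataOut[NBITS], const int table2[NBITS]) {
    for (int i = 0; i < NBITS; i++) dataOut[i] = dataIn[table2[i]];
}

/* Blinded high-entropy permutation, following the patent's perm3. */
void perm3(const bool dataIn[NBITS], bool dataOut[NBITS], const int table[NBITS]) {
    int perm[NBITS];
    bool temp[NBITS];
    /* Initialization: identity bit-order table, then whiten temp and dataOut. */
    for (int i = 0; i < NBITS; i++) {
        perm[i] = i;
        temp[i] = trueRandom() & 1;
        dataOut[i] = trueRandom() & 1;
    }
    /* More than 64 swaps so that residual ordering bias is negligible. */
    for (int i = 0; i < LOOPCOUNT; i++) {
        int p = trueRandom() & (NBITS - 1);
        SWAP(perm[p], perm[i & (NBITS - 1)]);
    }
    /* Blinding: temp receives input XOR b in random bit order, dataOut receives b. */
    for (int i = 0; i < NBITS; i++) {
        int p = perm[i];
        bool b = trueRandom() & 1;
        temp[p] = dataIn[p] ^ b;
        dataOut[table[p]] = b;
    }
    /* Re-randomize the bit order before the final pass. */
    for (int i = 0; i < LOOPCOUNT; i++) {
        int p = trueRandom() & (NBITS - 1);
        SWAP(perm[p], perm[i & (NBITS - 1)]);
    }
    /* Permute and unblind: XOR each blinded bit onto its blinding bit. */
    for (int i = 0; i < NBITS; i++) {
        int p = perm[i];
        dataOut[table[p]] ^= temp[p];
        temp[p] = 0;
    }
}

/* Added helper: a random permutation table (Fisher-Yates) and its inverse,
 * so that table1[table2[i]] == i as [0053] defines table2. */
static void random_table(int table1[NBITS], int table2[NBITS]) {
    for (int i = 0; i < NBITS; i++) table1[i] = i;
    for (int i = NBITS - 1; i > 0; i--) {
        int j = ((trueRandom() << 8) | trueRandom()) % (i + 1);
        SWAP(table1[i], table1[j]);
    }
    for (int i = 0; i < NBITS; i++) table2[table1[i]] = i;
}

/* Functional check: on `trials` random tables and inputs, perm3 and the
 * output-ordered form must match perm2 bit for bit. Returns 1 if they do. */
int check_permutations_agree(int trials) {
    for (int t = 0; t < trials; t++) {
        int table1[NBITS], table2[NBITS];
        bool in[NBITS], out2[NBITS], out2o[NBITS], out3[NBITS];
        random_table(table1, table2);
        for (int i = 0; i < NBITS; i++) in[i] = trueRandom() & 1;
        perm2(in, out2, table1);
        perm2_output_ordered(in, out2o, table2);
        perm3(in, out3, table1);
        if (memcmp(out2, out3, sizeof out2) || memcmp(out2, out2o, sizeof out2)) return 0;
    }
    return 1;
}

int main(void) {
    printf("perm3 agrees with perm2: %s\n", check_permutations_agree(100) ? "yes" : "no");
    return 0;
}
```

The agreement check only demonstrates the functional property (the same output as the standard permutation); the leakage benefit is invisible at the output and shows only in side-channel measurements. Note also that in a real device trueRandom() must be a true random source, since [0057] makes the whole construction depend on the bit order and the blinding bits being unknown to the attacker; the deterministic stand-in above would defeat that purpose.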

Other Considerations 

[0062] Cryptographic operations should normally be checked to ensure that incorrect computations do not compromise
keys or enable other attacks. Cryptographic implementations of the present invention can be combined with error-
detection and/or error-correction logic to ensure that cryptographic operations are performed correctly. For example, a
simple and effective technique is to perform cryptographic operations twice, ideally using two independent hardware
processors and/or software implementations, with a comparison operation performed at the end to verify that both
produce identical results. If the results produced by the two units do not match, the failed comparison will prevent the
defective processing result from being used. In situations where security is more important than reliability, if the compare
operation ever fails (or fails too many times) the device may self-destruct (such as by deleting internal keys) or disable
itself. For example, a device might erase its key storage memory if either two defective DES operations occur sequentially
or five defective DES results occur during the lifetime of the device. In some cryptosystems, full redundancy is not
necessary. For example, with RSA, methods are known in the background art for self-checking functions that can be
incorporated into the cryptosystem implementation (e.g., RSA signatures can be verified after digital signing operations).
[0063] Detection of conditions likely to cause incorrect results may also be used. In particular, active or passive sensors
to detect unusually high or low voltages, high-frequency noise on voltage or signal inputs, exposure to electromagnetic
fields and radiation, and physical tampering may be employed. Inappropriate operating conditions can (for example)
trigger the device to reset, delete secrets, or self-destruct.

[0064] Self-diagnostic functions such as a POST (power-on self-test) should also be incorporated to verify that cryp-
tographic functions have not been damaged. In cases where an ATR (answer-to-reset) must be provided before a
comprehensive self-test can be completed, the self-test can be deferred until after completion of the first transaction or
until a sufficient idle period is encountered. For example, a flag indicating successful POST completion can be cleared
upon initialization. While the card is waiting for a command from the host system, it can attempt the POST. Any I/O
received during the POST will cause an interrupt, which will cancel the POST (leaving the POST-completed flag at zero).
If any cryptographic function is called, the device will check the POST flag and (if it is not set) perform the POST before
doing any cryptographic operations.
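The redundant-computation policy of [0062] and the deferred POST flag of [0064], as one added C model (written for this edit, not the patent's code): every operation is computed twice and compared, a mismatch is counted as a fault, two consecutive faults or five lifetime faults erase the key, and no operation runs until the POST flag is set, with the POST attempted during idle time and cancelled by I/O. The cipher is a constructed toy keyed block function standing in for DES, the second "unit" is the same function run again, and faults are injected through a flag rather than by a real glitch; all three are assumptions made so the example runs offline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 8

typedef struct {
    uint8_t  key[KEY_LEN];
    bool     key_valid;
    bool     post_done;           /* cleared on reset, set once a POST completes */
    unsigned consecutive_faults;
    unsigned lifetime_faults;
} device_t;

/* Constructed toy keyed block function standing in for DES; not a real cipher. */
static uint64_t toy_block(const uint8_t key[KEY_LEN], uint64_t x) {
    uint64_t k = 0;
    for (int i = 0; i < KEY_LEN; i++) k = (k << 8) | key[i];
    for (int r = 0; r < 8; r++) {
        x ^= k;
        x *= 0x9E3779B97F4A7C15ull;
        x = (x << 23) | (x >> 41);
        k = (k << 7) | (k >> 57);
    }
    return x;
}

/* Constructed fault hook: when nonzero the second computation is corrupted,
 * standing in for a glitch that hits one of the two redundant units. */
int fault_in_second_run = 0;

static void erase_keys(device_t *d) {
    memset(d->key, 0, KEY_LEN);   /* self-destruct by deleting internal keys */
    d->key_valid = false;
}

void device_init(device_t *d, const uint8_t key[KEY_LEN]) {
    memcpy(d->key, key, KEY_LEN);
    d->key_valid = true;
    d->post_done = false;         /* POST flag is cleared upon initialization */
    d->consecutive_faults = 0;
    d->lifetime_faults = 0;
}

/* Simplified POST: run the block function on a fixed vector twice and require
 * agreement (assumption; a real device would check a stored known answer). */
static bool run_post(device_t *d) {
    const uint8_t k0[KEY_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint64_t a = toy_block(k0, 0x0123456789ABCDEFull);
    uint64_t b = toy_block(k0, 0x0123456789ABCDEFull);
    d->post_done = (a == b);
    return d->post_done;
}

/* Called while waiting for a host command; an I/O interrupt cancels the POST. */
void device_idle(device_t *d, bool io_interrupt) {
    if (d->post_done || io_interrupt) return;   /* cancelled: flag stays clear */
    run_post(d);
}

/* Compute twice, compare, release only matching results. 0 = ok, -1 = refused. */
int guarded_encrypt(device_t *d, uint64_t in, uint64_t *out) {
    if (!d->key_valid) return -1;
    if (!d->post_done && !run_post(d)) return -1;   /* deferred POST comes first */
    uint64_t r1 = toy_block(d->key, in);
    uint64_t r2 = toy_block(d->key, in);
    if (fault_in_second_run) r2 ^= 1;
    if (r1 != r2) {
        d->consecutive_faults++;
        d->lifetime_faults++;
        if (d->consecutive_faults >= 2 || d->lifetime_faults >= 5) erase_keys(d);
        return -1;                /* the defective result is never released */
    }
    d->consecutive_faults = 0;
    *out = r1;
    return 0;
}

/* Scenario: POST cancelled by I/O, then run before the first operation; two
 * sequential faults erase the key. Returns 1 if every step behaves as stated. */
int demo_consecutive_policy(void) {
    device_t d; uint64_t out;
    const uint8_t key[KEY_LEN] = {0xDE, 0xAD, 0xBE, 0xEF, 1, 2, 3, 4};
    device_init(&d, key);
    device_idle(&d, true);
    if (d.post_done) return 0;
    fault_in_second_run = 0;
    if (guarded_encrypt(&d, 42, &out) != 0 || !d.post_done) return 0;
    fault_in_second_run = 1;
    if (guarded_encrypt(&d, 42, &out) != -1 || !d.key_valid) return 0;
    if (guarded_encrypt(&d, 42, &out) != -1 || d.key_valid) return 0;
    fault_in_second_run = 0;
    return guarded_encrypt(&d, 42, &out) == -1;   /* no key left to operate with */
}

/* Scenario: five isolated faults over the device lifetime also erase the key. */
int demo_lifetime_policy(void) {
    device_t d; uint64_t out;
    const uint8_t key[KEY_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
    device_init(&d, key);
    for (int n = 1; n <= 5; n++) {
        fault_in_second_run = 1; guarded_encrypt(&d, n, &out);
        fault_in_second_run = 0; guarded_encrypt(&d, n, &out);
        if (n < 5 && !d.key_valid) return 0;
    }
    return !d.key_valid && d.lifetime_faults == 5;
}

int main(void) {
    printf("consecutive: %d, lifetime: %d\n", demo_consecutive_policy(), demo_lifetime_policy());
    return 0;
}
```

Two design points carry over to a real implementation: the comparison happens before any result leaves guarded_encrypt, so a corrupted value is never observable outside the device, and the POST check sits on the cryptographic entry point rather than in the reset path, which is what lets the ATR be answered before the self-test has run.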

Conclusions

[0065] The present invention is extremely useful for improving security, particularly in environments and applications
with difficult engineering requirements, by enabling the construction of devices that are significantly more resistant to
attack than devices of similar cost and complexity that do not use the present invention. Also, multiple security techniques
may be required to make a system secure. For example, leak minimization and obfuscation may be used in conjunction
with other security methods or countermeasures.

[0066] As those skilled in the art will appreciate, the techniques described above are not limited to particular host
environments or form factors. Rather, they may be used in a wide variety of applications, including without limitation:
cryptographic smartcards of all kinds including without limitation smartcards substantially compliant with ISO 7816-1,
ISO 7816-2, and ISO 7816-3 ("ISO 7816-compliant smartcards"); contactless and proximity-based smartcards and
cryptographic tokens; stored value cards and systems; cryptographically secured credit and debit cards; customer loyalty
cards and systems; cryptographically authenticated credit cards; cryptographic accelerators; gambling and wagering
systems; secure cryptographic chips; tamper-resistant microprocessors; software programs (including without limitation
programs for use on personal computers, servers, etc. and programs that can be loaded onto or embedded within
cryptographic devices); key management devices; banking key management systems; secure web servers; electronic
payment systems; micropayment systems and meters; prepaid telephone cards; cryptographic identification cards and
other identity verification systems; systems for electronic funds transfer; automatic teller machines; point of sale terminals;
certificate issuance systems; electronic badges; door entry systems; physical locks of all kinds using cryptographic keys;
systems for decrypting television signals (including without limitation, broadcast television, satellite television, and cable
television); systems for decrypting enciphered music and other audio content (including music distributed over computer
networks); systems for protecting video signals of all kinds; intellectual property protection and copy protection systems
(such as those used to prevent unauthorized copying or use of movies, audio content, computer programs, video games,
images, text, databases, etc.); cellular telephone scrambling and authentication systems (including telephone authen-
tication smartcards); secure telephones (including key storage devices for such telephones); cryptographic PCMCIA
cards; portable cryptographic tokens; and cryptographic data auditing systems. All of the foregoing illustrates exemplary
embodiments and applications of the invention.

Claims

1. A cryptographic processing device for securely performing a cryptographic processing operation in a manner resistant
to discovery of a secret by external monitoring of the device's electric power consumption, the device comprising:

an input interface (210) for receiving a quantity to be cryptographically processed;
a source (101) of unpredictable information;
a processor (225) connected to said input interface (110) for receiving and cryptographically processing said
quantity;
an output interface (110) for outputting said cryptographically processed quantity to a recipient thereof;
a hardware-implemented noise production sub-unit (105) connected to said source of unpredictable information
and configured to expend unpredictable amounts of power based on the output of said source of unpredictable
information; and
an activation controller (103), which may be activated by software contained in said device, to activate and
deactivate said expending of unpredictable amounts of power.

2. The device of claim 1 wherein said input interface and said output interface are constituted by the same element (110).

3. The device of claim 1 wherein said cryptographic processing operation includes transforming a message with the
Data Encryption Standard.

4. The device of claim 1 including program logic to activate said expending during said processing.

5. The device of claim 4 including program logic implementing said source of unpredictable information, and program
logic to transmit said unpredictable information to an additional power expending circuit contained in said device.

6. The device of claim 1 wherein said source of unpredictable information (101) is a hardware-implemented random
number generator, and wherein said noise production sub-unit includes a digital-to-analog converter (104).

7. The device of claim 1 further comprising:

a noise processing module (102) for improving the random characteristic of said unpredictable information.

8. The device of claim 1 further comprising an input interface (210) for receiving an external clock signal (220), and
monitoring means (240) for detecting a clock fault in said external clock signal and preventing said processor from
processing said quantity if said clock fault is detected.

9. A device according to claim 1, wherein said device comprises an ISO 7816 compliant smartcard.
10. A method of securely performing a cryptographic processing operation within a cryptographic processing device
containing a microprocessor, in a manner resistant to discovery of a secret by external monitoring of said device's
electric power consumption, said power consumption varying measurably during said performance of said operation,
said method comprising:

receiving power at said device;
receiving a quantity (270) to be cryptographically processed;
said microprocessor (225) enabling a hardware-implemented noise production sub-unit (100, 105, 200);
using an output (205) of said noise production sub-unit to conceal a correlation between said device's power
consumption and said secret by expending unpredictable amounts of power by introducing noise (100, 101,
102, 104, 105) into said power consumption while cryptographically processing said quantity; and
outputting said cryptographically processed quantity to a recipient thereof.

11. The method of claim 10 wherein said step of introducing noise comprises:

generating initial noise having a random characteristic (101, 200);
improving the random characteristic of said initial noise (102); and
varying said power consumption based on said improved initial noise.

12. The method of claim 10 further comprising the steps of receiving an external clock signal (220), monitoring (240)
for a clock fault in said external clock signal, and preventing said processor (225) from outputting said cryptograph-
ically processed quantity if said clock fault is detected.



Claims (German text, translated)

1. A cryptographic processing device for securely performing a cryptographic processing operation in a manner resistant
to the discovery of a secret by external monitoring of the device's electric power consumption, the device comprising:

an input interface (210) for receiving a quantity to be cryptographically processed;
a source (101) of unpredictable information;
a processor (225) connected to said input interface (110) for receiving and cryptographically processing said
quantity;
an output interface (110) for outputting said cryptographically processed quantity to a recipient thereof;
a hardware-implemented noise production sub-unit (105) which is connected to said source of unpredictable
information and is configured to consume unpredictable amounts of power based on the output of said source of
unpredictable information; and
an activation controller (103), which can be activated by software contained in said device, to activate and
deactivate said consumption of unpredictable amounts of power.

2. Device according to claim 1, wherein said input interface and said output interface are formed by the same
element (110).

3. Device according to claim 1, wherein said cryptographic processing operation comprises transforming a message
with the Data Encryption Standard.

4. Device according to claim 1, with program logic for activating said consumption during said processing.

5. Device according to claim 4, with program logic implementing said source of unpredictable information and program
logic for transmitting said unpredictable information to an additional power-consuming circuit contained in said device.

6. Device according to claim 1, wherein said source of unpredictable information (101) is a hardware-implemented
random number generator and wherein said noise production sub-unit comprises a digital-to-analog converter (104).

7. Device according to claim 1, further comprising:

a noise processing module (102) for improving the random characteristic of said unpredictable information.

8. Device according to claim 1, further comprising an input interface (210) for receiving an external clock signal (220)
and monitoring means (240) for detecting a clock fault in said external clock signal and for preventing said processor
from processing said quantity if said clock fault is detected.

9. Device according to claim 1, wherein said device comprises a chip card according to ISO 7816.

10. Method of securely performing a cryptographic processing operation in a cryptographic processing device containing
a microprocessor, in a manner resistant to the discovery of a secret by external monitoring of the electric power
consumption of said device, wherein said power consumption varies measurably during said performance of said
operation, said method comprising:

receiving power at said device;
receiving a quantity (270) to be cryptographically processed;
activating a hardware-implemented noise production sub-unit (100, 105, 200) by said microprocessor (225);
using an output (205) of said noise production sub-unit to conceal a correlation between the power consumption
of said device and said secret by consuming unpredictable amounts of power by introducing noise (100, 101, 102,
104, 105) into said power consumption during the cryptographic processing of said quantity; and
outputting said cryptographically processed quantity to a recipient thereof.

11. Method according to claim 10, wherein said step of introducing noise comprises:

generating initial noise with a random characteristic (101, 200);
improving the random characteristic of said initial noise (102); and
varying said power consumption based on said improved initial noise.

12. Method according to claim 10, further comprising the steps of receiving an external clock signal (220), monitoring
(240) for a clock fault in said external clock signal, and preventing said processor (225) from outputting said
cryptographically processed quantity if said clock fault is detected.



Claims (French text, translated)

1. Cryptographic processing device intended to securely perform a cryptographic processing operation in a manner
resistant to the discovery of a secret by external monitoring of the electric power consumption of the device, the device
comprising:

an input interface (210) for receiving a quantity to be cryptographically processed;
a source (101) of unpredictable information;
a processor (225) connected to said input interface (110) for receiving and cryptographically processing said
quantity;
an output interface (110) for delivering said cryptographically processed quantity to its recipient;
a hardware-implemented noise production sub-unit (105) connected to said source of unpredictable information
and configured to use unpredictable amounts of power based on the output of said source of unpredictable
information; and
an activation controller (103), which can be activated by software contained in said device, to activate and
deactivate said use of unpredictable amounts of power.

2. Device according to claim 1 in which said input interface and said output interface are constituted by the same
element (110).

3. Device according to claim 1 in which said cryptographic processing operation comprises transforming a message
with the Data Encryption Standard.

4. Device according to claim 1 comprising program logic for activating said use during said processing.

5. Device according to claim 4 comprising program logic implementing said source of unpredictable information, and
program logic for transmitting said unpredictable information to an additional power-using circuit located in said device.

6. Device according to claim 1 in which said source of unpredictable information (101) is a hardware-implemented
random number generator, and in which said noise production sub-unit comprises a digital-to-analog converter (104).

7. Device according to claim 1 further comprising:

a noise processing module (102) for improving the random characteristic of said unpredictable information.

8. Device according to claim 1 further comprising an input interface (210) for receiving an external clock signal (220),
and monitoring means (240) for detecting a clock fault in said external clock signal and preventing said processor
from processing said quantity if said clock fault is detected.

9. Device according to claim 1, in which said device comprises a smartcard conforming to the ISO 7816 standard.

10. Method of securely performing a cryptographic processing operation inside a cryptographic processing device
containing a microprocessor, in a manner resistant to the discovery of a secret by external monitoring of the electric
power consumption of said device, said power consumption varying measurably during said performance of said
operation, said method consisting of:

receiving power at said device;
receiving a quantity (270) to be cryptographically processed;
said microprocessor (225) starting a hardware-implemented noise production sub-unit (100, 105, 200);
using an output (205) of said noise production sub-unit to hide a correlation between said power consumption of
the device and said secret by using unpredictable amounts of power through the introduction of noise (100, 101,
102, 104, 105) into said power consumption during the cryptographic processing of said quantity; and
delivering said cryptographically processed quantity to its recipient.

11. Method according to claim 10 in which said step of introducing noise consists of:

generating an initial noise having a random characteristic (101, 200);
improving the random characteristic of said initial noise (102); and
varying said power consumption based on said improved initial noise.

12. Method according to claim 10 further comprising the steps consisting of receiving an external clock signal (220),
monitoring (240) for a clock fault in said external clock signal, and preventing said processor (225) from delivering
said cryptographically processed quantity if said clock fault is detected.
FIG. 2